
ARTICLES ON THE NATIONAL STRATEGY FOR SECURING CYBERSPACE (NSSC)
18 September 2002 NSSC Avoids Regulations; Critics Say it Lacks
Necessary Muscle
16 & 19 September 2002 NSSC Summary
17-19 September 2002 Variety of Experts Chat With Washington Post
About the NSSC
17 September 2002 Home Users Know the Drill but Don't Abide By It

A TIME LINE
18 September 2002 Cyber Security Time Line

xmaddness's side note:
We are actually holding discussions here at AntiOnline about what we, the security/Computer Admins, would like to see added to this bill. If you would like to be involved send me a Private Message.

FREE WEB BROADCAST: October 2, 1:00 PM EDT (1700 UTC).
Dustin Childs covers the basics of event logs in Windows NT and 2000,
the managing of logs, and when you can and cannot completely trust
those logs. Listen live and ask questions, or, once you have an access
code, sign on later to listen to the web cast at your leisure.
Register in advance to get the handouts: http://sans.digisle.tv/audiocast_100202/brief.htm

--17-19 September 2002 Variety of Experts Chat With Washington Post
About the NSSC
Online transcripts of chats with various people about NSSC
Alan Paller (SANS): http://www.washingtonpost.com/wp-srv...ller091802.htm
Scott Charney (Microsoft): http://www.washingtonpost.com/wp-srv...rney091702.htm
Richard Smith: http://www.washingtonpost.com/wp-srv...mith091902.htm
[Editors' Comment on the Strategy:
(Ranum) It's not a strategy; it's a statement of the obvious. It
would have been more effective if The President simply asked the
hackers to be nice and cease and desist.
(Murray): Did anyone find any mention of cryptography? I found
no mention of strong authentication (except for home users; weak
passwords on their systems are not being attacked). I found no mention
of closed networks. Anyone find any mention of holding edge connectors
responsible for their traffic or for enforcing source IP addresses? The
report's solution to the broken transport layer is to avoid the use
of wireless. Its solution to the problem of weak systems connected
to the Internet is more "patch and fix." Did anyone find mention of
safe defaults? Are all these things too controversial even to float?]

xmaddness's side notes:
We have been reading through this, and one thing I noticed was that they use the term "Hacker", to describe a malicious cracker. That right there tells me they did not spend enough time with the actual security/hackers to know what to really look for. We need to stop letting the big dogs write bills that will do nothing. Again, PM me if you would like to contribute.

--17 September 2002 Home Users Know the Drill but Don't Abide By It
The recently released draft of the National Strategy to Secure
Cyberspace recommends that home users deploy firewalls, use
regularly updated anti-virus software, create strong passwords,
install all necessary patches and use common sense about e-mail and
downloads. Though these pieces of advice are well-known, many home
users do not adhere to them.
http://www.washingtonpost.com/wp-dyn...2002Sep17.html

A TIME LINE

--18 September 2002 Cyber Security Time Line
This page offers a brief time-line of computer bugs, viruses, worms
and attacks from the 1945 moth in Navy computer relays to the Morris
worm to Melissa author David Smith's sentencing. Also includes cyber
milestones such as the development of ASCII, the launch of ARPANET
and the appointment of the nation's first "cyber security czar."
http://www.washingtonpost.com/wp-dyn...2002Jun26.html
[Editor's Note (Northcutt): I enjoyed the retelling of the cyber
security story. It appears the rate of change in security is
accelerating.]

THE REST OF THE WEEK'S NEWS

--23 September 2002 Suspected Slapper Author Arrested; New Variant
on the Loose
A man has been arrested on suspicion of authoring the Slapper worm;
the worm evidently was sending infected machine addresses back to
his Ukraine-based e-mail address. Though the original Slapper worm
activity appears to be calming down, a variant has been detected in
the wild and has been spreading in Australia.
http://www.vnunet.com/News/1135274
http://www.news.com.au/common/story_page/0,4057,5151968^15306,00.html

--23 September 2002 al Qaeda May Have Structural Analysis Software
According to an FBI bulletin, a computer belonging to a bin Laden
associate contained software that can be used to find structural
weaknesses in large structures like dams and skyscrapers.
http://news.com.au/common/story_page/0,4057,5149311^421,00.html

--21 September 2002 Client Employee Arrested for Data Theft
A Chinese oil company employee who was receiving training to use
advanced seismic imaging software from 3DGeo Development was arrested
after it was alleged that he had accessed 3DGeo proprietary code and
copied it onto his laptop. If convicted, Shan Yan Ming could face
five years in prison and a $250,000 fine.
http://www.bayarea.com/mld/mercuryne...ss/4121880.htm

--20 September 2002 Cisco VPN 5000 Vulnerabilities
Security holes in Cisco VPN 5000 Client software could allow an
attacker to attain root access to local workstations running the
software or to grab passwords. The root access hole affects the 5.2.7
for Linux and 5.2.8 for Solaris versions of the software, while the
password vulnerability is present in the version for Macintosh in
all versions prior to 5.2.2. Cisco has placed updates on its website.
http://www.idg.net/ic_950944_5055_1-2793.html

--20 September 2002 VeriSign Won't Disclose .gov Info
VeriSign Inc. will no longer supply the public with data about the
.gov Internet domain because the company fears the information could
be used to plot cyber attacks.
http://www.theregister.co.uk/content/55/27210.html

--20 September 2002 Oregon Cyber Security Awareness Program for Youth
The Hillsboro, Oregon police department plans to launch a cybersecurity
awareness program aimed at young people. The Cyber Awareness,
Responsibility and Ethics program will begin at the Boys and Girls
Clubs of Hillsboro and eventually spread to the schools. The program
hopes to educate area youth about the effect their actions can have;
it will also encourage constructive cyber experimentation under the
guidance of other young people.
http://www.oregonlive.com/metrowest/...3123238162.xml
[Editor's Note (Schultz): Ultimately, strategic gains in the
information security arena will be due to efforts like the one
described in this news item. The next generation merits our full
attention when it comes to security education and awareness.]

--20 September 2002 XP Service Pack Causes Problems
A small group of Windows XP customers has reported having problems
with the operating system's first service pack which was released on
September 9th. Among the problems cited are slow-running machines,
unstable systems and crashing programs.
http://www.pcworld.com/news/article/0,aid,105144,00.asp
[Editor's Note (Murray): Toshiba advised me to re-install XP from
scratch to get rid of the service pack.]

--19 September 2002 Disgruntled Former Employee Gets Prison Sentence
for Erasing Company Data
A UK computer engineer who botched a job went back into the company's
computer system and wiped out their data after the company refused to
pay his bill; Stephen Carey had altered the company's computer system
so he could access the database from home. Police who seized the man's
home computer found that the time the files were destroyed matched
the time his home computer was connected to the company's. Carey
received an 18-month prison sentence for unauthorized modification
of computer material.
http://www.ds-osac.org/edb/cyber/new...y.cfm?KEY=9061

--19 September 2002 Nokia Decries Warchalking
Nokia has issued an advisory condemning warchalking, the practice of
marking the locations of wireless access points outside buildings. The
company maintains that people who use bandwidth without paying for
it are thieves. A number of readers' comments are posted along with
the article.
http://news.bbc.co.uk/2/hi/technology/2268224.stm

--18 September 2002 Gartner Advises Waiting to Deploy Yukon
Analysts are warning users not to deploy the upcoming version of
Microsoft SQL server, known as Yukon, because it is likely to contain
numerous security holes. Gartner is advising users to wait for the
release of Service Pack 1.
http://www.vnunet.com/News/1135116
[Editor's Note (Schultz): The competence of this advice from the
Gartner Group is extremely dubious. It appears to be a massive
overgeneralization that does not take this specific product into
account. Did the Gartner Group even ask Microsoft how this product
fared with security testing? What about Windows XP? It would be
difficult to claim that it was full of security holes (although
some [(Paller) *many*] were discovered) and should thus not be used
until SP1 was available. Also, the statement to the effect that if an
organization uses Yukon, it should minimize the services that are run,
adds absolutely nothing. You should always run only essential services,
regardless of whether the product is a Microsoft product.]

--18 September 2002 Bush Appoints 24 to NIAC
President Bush has appointed 24 people to the National Infrastructure
Advisory Committee (NIAC). The committee makes recommendations about
national security and economic critical infrastructure cyber security;
it also addresses cyber security partnerships between the public and
private sectors. The council members are drawn from major economic
sectors, like energy, transportation and banking, and from law
enforcement, academia and state and local government.
http://www.whitehouse.gov/news/relea...020918-12.html

--17 & 18 September 2002 Norton Found In Contempt of Court for
Failing to Address Computer Security Issues
Interior Secretary Gale Norton and Assistant Secretary for Indian
affairs Neal McCaleb have been found in contempt of court for failing
to adequately address vulnerable computer systems that manage Indian
trust fund accounts. The entire Interior department was taken off
line late last year when it became clear that its computer systems
lacked adequate security.
http://www.fcw.com/fcw/articles/2002...t-09-17-02.asp
http://www.gcn.com/vol1_no1/daily-updates/20053-1.html

xmaddness's side note
This is one of the things that we are also discussing in our bill, a .gov to force companies to patch their holes.

--17 September 2002 Glue: The Latest in Anti-Piracy Technology
In yet another attempt to thwart music pirates, one record company is
giving reviewers CDs sealed into players with headphone jacks sealed
so the CD cannot be re-recorded. At least one reviewer was able to
retrieve the CD, however.
http://www.iht.com/articles/70893.html
http://www.vnunet.com/News/1135077

--16 September 2002 Senate Homeland Security Bill Would Broaden
Indemnity
An amendment to the Senate's version of the Homeland Security Bill
would have the government pay liability damages beyond the private
coverage held by designated homeland security vendors. Critics are
concerned that the extension of this indemnity would have a negative
impact on the quality of security products.
http://www.computerworld.com/governm...,74279,00.html

--16 September 2002 Analysis Finds More Government Sites Have
Security and Privacy Policies
Brown University's Center for Public Policy analyzed 1,265 federal
and state government web sites; among their findings were marked
increases in the number of sites with security and privacy policies
when compared with the sites last year. The study also noted that
some sites restrict access to certain information.
http://www.gcn.com/vol1_no1/daily-updates/20026-1.html

--16 September 2002 Informal Airport LAN Audit Reveals Lax Security
A recent audit of wireless LANs at airports in Chicago, San Francisco,
San Diego and Atlanta revealed that many were not running even basic
security measures; only about 25% of the access points had the WEP
protocol turned on. Some access points were found to be broadcasting
DHCP. The audit was informal, conducted as an executive at a security
research firm traveled through various airports over the course of
a week.
http://www.computerworld.com/mobilet...,74271,00.html

--16 September 2002 Sites Still Vulnerable to Cross-Site Scripting
A significant number of web sites are vulnerable to cross-site
scripting attacks, despite warnings about the problem that have been
out for six months. Crackers have exploited the vulnerabilities to
publish phony press releases and to steal credit card information
and cookies. Addressing the problem on each site can be complicated
and time consuming. It is also possible that because the affected
site is the party delivering the malicious code, it could be liable
for damages.
http://www.vnunet.com/News/1135064

ARTICLES ILLUSTRATING CHANGES IN INFORMATION WARFARE
(Northcutt) The next two articles help us understand the future of
information warfare. Malicious code is essentially asymmetric. It is
a lot cheaper to write a worm than to clean up after one has infected
your systems. A determined adversary with a substantial technology
base could create a variety of attacks that have never been seen
before and release them at the same time. As long as they do not
gain entry into specialized command and control networks that are
supposedly not connected to the Internet, the result is more likely
to be a nuisance than a nightmare. As Ed Skoudis put it, "I'm looking
forward to an Internet 'snow day', I could use the rest".

--16 September 2002 ABCNews Hired Firm to Test CA Police
Dept. Security From Afar
In a "swarming attack," terrorists would attack both physically and
on the cyber space front; the forthcoming National Strategy to Secure
Cyberspace is designed to address such concerns. In an effort to
discover what kind of havoc hackers could wreak from afar, ABCNews
hired a Colorado Springs-based computer security consulting firm
to break into a California police department's computer system. The
hackers mapped the department's network, sent a phony e-mail from the
chief to a detective, and tried to send the chief a Trojan horse,
which was blocked by the department's virus detection system. They
also sent fake warnings to every screen in the department before they
disclosed their identity. The police department officials were aware
that the attack was going to take place; they just didn't know when.
http://abcnews.go.com/sections/wnt/D...ror020913.html

--16 September 2002 Nimda Changed IT Security Thinking
The spread of the Nimda worm had a greater effect on cyber security
than did the September 11th terrorist attacks. The worm, which
debuted a year ago, spread not only through e-mail attachments,
but also through shared files on servers. It broadened the focus
of security to encompass not only network and perimeter security,
but application and database security as well. It also drove home
the point that patches and updates need to be applied quickly.
http://www.computerworld.com/securit...,74284,00.html